Last week a Malaysian man was charged for hacking into the Federal Reserve Bank of Cleveland’s computer systems and for stealing more than 400,000 credit and debit card numbers. Later on IDG News reported that the Fed said he only broke into a test Fed system and that the Fed doesn’t process card numbers so the card data couldn’t have been stolen there, nor was there any sensitive information stolen during the hack.
Whatever the case, it does remind me and probably many of you – that banks are not subject to PCI enforcement. Try to find a PCI related deadline for card issuing banks on the Visa or MasterCard websites and you will come up noticeably short.
I remember moderating a panel at a Federal Reserve Bank conference about two and a half years ago, with the card brands and major U.S. merchants present. A treasurer at a top global merchant was noticeably irked when he asked the Visa rep on my panel when he could get a list of PCI compliant bank card issuers. The Visa panelist deflected the question.
It’s one of those parts of PCI enforcement that demonstrates the lack of a level playing field across banks, merchants, and merchant service providers. And its too esoteric an issue for Congress and the federal regulators to take on right now. They do seem to be making headway in breaking the secret circle and decision making process that dictates interchange fees, which should give merchants more power when it comes to payments. It would be nice if the security part of the card payment food chain equation were fair as well, but don’t hold your breath.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.